
Wednesday, April 15, 2020

9 Advisories and 5 Updates – 4-14-20


Yesterday the CISA NCCIC-ICS published nine control system security advisories for products from Siemens (6), Triangle MicroWorks (2) and Eaton. They also published updates for five advisories for products from Siemens.

TIM Advisory


This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. This vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker with network access to gain full control over the device.

KTK Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. This vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, InterNiche OS, SegmentSmack vulnerability.

SCALANCE Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. This vulnerability is self-reported. Siemens provided generic workarounds while they continue to work on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, VxWorks OS, SegmentSmack vulnerability.

SIMOTICS Advisory


This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to allow an attacker to affect the availability and integrity of the device.

Industrial Devices Advisory


This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.

NOTE: This is the third-party, Linux OS, SegmentSmack vulnerability.

Climatix Advisory


This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerability was reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to execute arbitrary code to access confidential information without authentication.

TMW SCADA Advisory


This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by Incite Team of Steven Seeley and Chris Anastasio, and Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose information on affected installations of Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.

TMW DNP3 Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by Incite Team of Steven Seeley and Chris Anastasio via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.

Industrial Products Update


This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.

PROFINET Update


This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.

TIA Portal Update


This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.

SIMATIC PCS 7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.

SIMATIC S7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.

Other Siemens Updates


Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.

Friday, November 15, 2019

6 Advisories and 2 Updates Published – 11-14-19


Yesterday the CISA NCCIC-ICS published five control system security advisories for products from ABB, Omron and Siemens (3); and one medical device security advisory for products from Philips. They also updated two previously published advisories for products from Siemens.

ABB Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ABB Power Generation Information Manager (PGIM) and Plant Connect monitoring platforms. This vulnerability was reported by Rikard Bodforss. ABB reports that PGIM will transition to a limited support phase in January 2020, and Plant Connect is already obsolete.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to bypass authentication and extract credentials from the device.

NOTE: I briefly reported on this vulnerability earlier this month.

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in information disclosure, total compromise of the system, and system unavailability.

Desigo PX Advisory


This advisory describes an external control of assumed immutable web parameter vulnerability in the Siemens Desigo PX automation controllers. The vulnerability was reported by Gjoko “LiquidWorm” Krstic from Zero Science Lab. Siemens has updates that mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition on the device’s web server, requiring a reboot to recover the web interface.

S7-1200 Advisory


This advisory describes an exposed dangerous method or function vulnerability in the Siemens S7-1200 CPU. The vulnerability was reported by Ali Abbasi from Ruhr University of Bochum. Siemens has provided generic workarounds for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to expose additional diagnostic functionality to an attacker with physical access to the UART interface during the boot process. The Siemens advisory notes that the attacker must have physical access to the UART interface during the boot process to exploit the vulnerability (feature).

NOTE: I briefly discussed this vulnerability last weekend.

Mentor Nucleus Advisory


This advisory describes an improper input validation vulnerability in the Siemens Mentor Nucleus Networking Module. The vulnerability was reported by Armis. Siemens has updates that mitigate the vulnerability. There is no indication that Armis was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to affect the integrity and availability of the device. According to the Siemens advisory, adjacent network access (but no authentication and no user interaction) is required to exploit the vulnerability.

Philips Advisory


This advisory describes an inadequate encryption strength vulnerability in the Philips IntelliBridge EC40 and EC80 data transfer devices. The vulnerability was reported by the Medical Technology Solutions team of NewYork-Presbyterian Hospital. Philips has provided generic workarounds while developing formal mitigation.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker unauthorized access to the IntelliBridge EC40/80 hub and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019. The new information includes new affected version information and mitigation measures for:

• SINAMICS S120 V4.7;
• SINAMICS S150;
• SINAMICS G130 V4.7;
• SINAMICS G150; and
• SINAMICS SL150 V4.7

Industrial Products Update


This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on October 8th, 2019. The new information includes:

• Updated version information and mitigation link for SIMATIC MV500; and
• Removed SIMATIC RF166C from affected products.

Other Siemens Updates


On Tuesday Siemens also published two other advisory updates that have not yet been addressed by NCCIC-ICS, nor do I expect them to be addressed as the underlying vulnerabilities have not been reported by NCCIC-ICS. I will report on them tomorrow.
